Re: Vulnerabilities in *McAfee.com

["Thor (Hammer of God)" <thor () hammerofgod com>]

I have that very strip printed and on the wall in my office :)    You make several points, but the response that 
immediately comes to mind is that I actually see a difference between actively scanning content for structural/coding 
vulnerabilities, and entering data in a search box.  I don't know if there is any basis for this legally, but I feel 
that if you put a box up and I can search for something, then I can put whatever I want in that box.  You (the royal 
you) are basically soliciting people to put data in the box.   However, you are not asking anyone to spider your site 
or run scans against it.  

That said, my guess is that it would all come down to intent.  If I put ' or 1=1-- (like the site I had that some 
camper sniped) in, it's a pretty sure bet that I'm looking for SQL injection.  But I don't know if the search box 
"entitles" me to do that.  It certainly is interesting list fodder though...  

> -----Original Message-----
> From: Ryan Sears [mailto:rdsears () mtu edu]
> Sent: Wednesday, March 30, 2011 12:30 PM
> To: Thor (Hammer of God)
> Cc: full-disclosure; noloader () gmail com
> Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
>
>
> How about the scenario in which one statically audit's some javascript sitting
> on a site, to notice it does something in an unsafe manner, and can be used in
> a XSS attack without actually making it happen?. There was no actual
> 'attacking' done, but there was still a vulnerability discovered. Is THAT
> considered an illegal act? Is putting a '<3' into a web form/comment section
> considered attacking it if you look at the source to see how the character
> translated? What if you just wanted to make an ascii heart? My point is it's a
> very blurry line, and there are a lot of scenarios where one may discover a
> vulnerability without even having to do anything.
>
> As for the source code disclosures, there was absolutely no 'attacking' done.
> This was a huge oversight in the site devs, and they were giving that
> information to anyone who requested it, plain and simple. What about the
> Tumblr incident that happened a while ago? Just because they screwed up a
> production script, they ended up leaking massive amounts of internal
> infrastructure details, as well as private API keys, and other stuff that could be
> used for nefarious means. Is it illegal to visit that page? I think not, as THEY
> were putting the information out there (albeit by accident), but I as a user
> have no way to know that.
>
> I understand what you're saying about them not asking people to look for
> bugs, but it IS the internet. Companies don't typically ask external people to
> audit their executables either, but people do it for a number of reasons
> (mainly education).
>
> If they leave their site up, people will potentially poke at it. That's just the way
> it is. If I have a vested interest in a company (be it monetary or simply
> supporting it's cause), I personally want to see the site flourish, because I am
> then a part of that site. I want to make sure that my personal information is
> protected, and if I do find a bug somewhere, I report it. I recently found a XSS
> in OpenDNS's landing page, and they were very appreciative, very
> professional, and prompt to respond. This made me WANT to work with them
> further to ensure that their infrastructure was hardened to other forms of
> attack as well. I don't disclose these sorts of issues publicly, because I give the
> developers a chance to fix it, and in my past experience most companies are
> happy that I reported an issue, because I could have just as easily not said
> anything. If it does come down to it though, I follow my own public disclosure
> policy (http://talesofacoldadmin.com/disclosure.html) based off Rain Forest
> Puppy's. It basically just asks for somewhat consistent lines of communication
> after I disclose something. If the communication drops (or is non-existent),
> then it's at my own discretion to disclose it in a public forum.
>
> I don't HAVE to disclose anything to anyone, I CHOOSE to disclose it, but if
> choosing to disclose something (even in private) means potential legal
> troubles, then that takes away the motivation for me to disclose it in any
> form. I'm still going to be finding bugs for my own educational purposes, but
> I'll just stop disclosing them. That in itself starts to undermine the internet as a
> whole, leading to the restriction of information exchange, which is appalling.
>
> It IS technically illegal to do these sorts of tests without consent, but at what
> point DOES it become a 'test'? There's some cases, granted, in which the
> intention is clear (testing for blind SQL injections, etc) as they leave a huge
> footprint, but there's no explicitly clear line in which it becomes illegal. Is
> adding a ' to my name illegal? What if my 70+ year old grandmother did it by
> accident? Could she be persecuted as well? You can't apply the law to only
> some situations and not others.
>
> I also point you to one of my favorite XKCD's => http://xkcd.com/327/
>
> Is naming your kid something like that technically illegal? Then that starts
> getting into free-speech issues, which are most certainly protected by the
> constitution. If I want my name to be "Ann <!@#$%^&*()> Hero", and the site
> doesn't explicitly tell me I can't do so, then how can I be expected to
> reasonably know where their boundaries are? I don't see any terms of use for
> using their website anywhere.
>
> This is all just my opinion though, and sorry for the long message!
>
> Ryan
>
> ----- Original Message -----
> From: "Thor (Hammer of God)" <thor () hammerofgod com>
> To: "Ryan Sears" <rdsears () mtu edu>, noloader () gmail com
> Cc: "full-disclosure" <full-disclosure () lists grok org uk>
> Sent: Wednesday, March 30, 2011 2:12:37 PM GMT -05:00 US/Canada Eastern
> Subject: RE: [Full-disclosure] Vulnerabilities in *McAfee.com
>
> Well, I think there is a flip side to this, and that is the fact that no one is asking
> these people to inspect their sites for vulnerabilities.   They are taking it upon
> themselves to scan the sites actively looking for vulnerabilities for the sole
> purpose of exposing them.  They may say that they are doing it "to ensure
> that the vendors fix their problems" but it's not really any of their business to
> do so.
>
> I think someone would be hard pressed to justify (defend) their actions when
> they basically "attack" a site that they don't own, without permission, with the
> express intent of finding a vulnerability.  That's the difference between a
> "test" and an "attack."   It doesn't matter how trivial their finds are, or what
> the outcome of the scan is, it is the fact that no one asked, nor wants them to
> do this.
>
> Technically, what they are doing is in fact illegal - in the US anyway.   So there
> is another aspect of this that deserves some discussion, I think.
>
> t
>
>
> > -----Original Message-----
> > From: full-disclosure-bounces () lists grok org uk
> > [mailto:full-disclosure- bounces () lists grok org uk] On Behalf Of Ryan
> > Sears
> > Sent: Wednesday, March 30, 2011 10:45 AM
> > To: noloader () gmail com
> > Cc: full-disclosure
> > Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
> >
> > Seriously. I gotta say I feel like people at Cenzic (and Mcafee for
> > that matter), if anyone should understand that a XSS should really only
> > be construed a 'criminal act' if it's indeed used to attack someone. If
> > a group is taking the time out of their day to find and disclose issues
> > to Mcafee, they should probably be thankful. What about finding a
> > vulnerability in Mcafee's virus scanner? Could that be construed as a
> > 'criminal act' if they disclose it? Where do you draw the line?
> >
> > Basically this sort of thing pushes the community into silence until
> > something truly criminal happens. I'm not saying give anyone massive
> > amounts of credit for publishing a few XSS bugs (because there's
> > millions of them out there), but don't label them as a criminal for trying to
> help. That's just idiotic IMO.
> > If you run an enterprise level solution for antivirus AND web
> > vulnerability testing, the community understands that it's a process not
> unlike any other.
> > There will be bugs, but it only demolishes the image of Mcafee to see
> > them handle it like this in particular. If they would have been
> > appreciative about it, and promptly fixed their website (or at the very
> > least maintained friendly
> > contact) this incident would have pretty much gone un-noticed.
> >
> > Look at LastPass as an example.
> >
> > http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.htm
> > l
> >
> > They had someone poking at their site, who managed to find a XSS bug
> > using CRLF injections. They were appreciative of the find, 2.5 hrs
> > later the issue was fixed, and there was that blog post about exactly
> > what they were going to do about it. They took full responsibility for
> > the fact that THEIR coding was to blame, and basically said 'This is
> > what happened, and this is why it will probably never happen again'.
> > This spoke hugely to me (as I'm sure it did the rest of the community)
> > because it shows a company that's willing to admit it made a mistake,
> > as opposed to sitting on their haunches and blaming people for looking
> > for these sorts of bugs. Oh and not every customer of their service has
> > to pay massive licensing fees, as there's a free version as well. In my
> > mind at least this equates to a company that cares more about their
> > customers that don't pay a single dime, then a company who forces
> > people to pay massive amounts of coin for shaky automated scanning and
> services. That's just the way I see it though.
> > Someone's gotta tell the emperor he has no clothes on.
> >
> > Ryan
> >
> > ----- Original Message -----
> > From: "Jeffrey Walton" <noloader () gmail com>
> > To: "YGN Ethical Hacker Group" <lists () yehg net>
> > Cc: "full-disclosure" <full-disclosure () lists grok org uk>
> > Sent: Wednesday, March 30, 2011 1:05:42 PM GMT -05:00 US/Canada
> Eastern
> > Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
> >
> > On Wed, Mar 30, 2011 at 8:44 AM, YGN Ethical Hacker Group
> > <lists () yehg net>
> > wrote:
> > > According to xssed.com,  there are two remaining XSS issues:
> > >
> > > https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); //
> > > https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //
> > >
> > >
> > > You guys know our disclosed issues are very simple and can easily be
> > > found through viewing HTML/JS source codes and simple Google Hacking
> > (http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.
> m
> > cafee.com).
> > > However,  it was criticized as 'illegal break-in' by Cenzic's CMO,
> > > http://www.cenzic.com/company/management/khera/,  according to
> > Network
> > > World News editor - Ellen Messmer.  Thus, the next target is Cenzic
> > > web site. Let's see how strong the Kung-Fu of Cenzic HailStorm
> > > scanner is.
> > Too funny.... I wonder is Aaron Barr is consulting for Cenzic.
> >
> > Jeff
> >
> > > > [SNIP]
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/